Richard Bejtlich's blog on digital security, strategic thought, and military history.

Friday, December 05, 2003

I commend the Debian project for detailing the exact timetable and methodology associated with their recent compromise. They posted a detailed report on the incident Tuesday. I found several points noteworthy. First, notice how they detected the intrusion. Sharp admins knew something was amiss, and a host-based IDS detected file changes:

"On the evening (GMT) of Thursday, November 20th, the admin team noticed several kernel oopses on master. Since that system was running without problems for a long time, the system was about to be taken into maintenance for deeper investigation of potential hardware problems. However, at the same time, a second machine, murphy, was experiencing exactly the same problems, which made the admins suspicious.

Also, klecker, murphy and gluck have Advanced Intrusion Detection Environment (package aide) installed to monitor filesystem changes and at around the same time it started warning that /sbin/init had been replaced and that the mtime and ctime values for /usr/lib/locale/en_US had changed."

Notice the intruder's actions:

"On Wednesday, November 19th, at approximately 5pm GMT, a sniffed password was used to log into an unprivileged developer account on the host klecker (.debian.org). The attacker then retrieved the source code through HTTP for an (at that time) unknown local kernel exploit and gained root permissions via this exploit. Afterwards, the SucKIT root-kit was installed.

The same account and password data were then used to log into the machine master, to gain root permissions with the same exploit and also to install the SucKIT root-kit...

On the next day the attacker used a password sniffed on master to log into gluck, get root there and also install the SucKIT root-kit."

How was all this password sniffing done? Were clear text protocols involved?